NIS: An In-Depth Look at Setting Up a NIS Environment
1 Environment preparation

Operating system: CentOS 7.2

yp-tools and ypbind depend on each other, so they have to be installed together in a single rpm command:

    [root@node2 deps-centos72_1511]# rpm -ivh yp-tools-2.14-3.el7.x86_64.rpm ypbind-1.37.1-7.el7.x86_64.rpm

Network topology:
2 Setup

2.1 Master server configuration

2.1.1 Set the NIS domain name

Set the NIS domain name by adding the following. Temporary setting (lost at reboot):

    [root@node0 nis]# nisdomainname hikuss

Permanent setting:

    [root@node0 nis]# cat /etc/sysconfig/network
    # Created by anaconda
    # set the NIS domain name
    NISDOMAIN=hikuss
    # pin ypserv to port 1011 so that firewall rules are easy to write
    YPSERV_ARGS="-p 1011"
2.1.2 Set up hosts

Map IP addresses to hostnames in /etc/hosts by adding the following entries:

    [root@node0 nis]# cat /etc/hosts
    192.168.192.90 node0
    192.168.192.91 node1
    192.168.192.92 node2
2.1.3 Set up the main configuration file /etc/ypserv.conf

Edit the server's main configuration file /etc/ypserv.conf:

    [root@node0 nis]# cat /etc/ypserv.conf
    #
    # ypserv.conf  In this file you can set certain options for the NIS server,
    #              and you can deny or restrict access to certain maps based
    #              on the originating host.
    #
    # See ypserv.conf(5) for a description of the syntax.
    #

    # Some options for ypserv. These things are all not needed, if
    # you have a Linux net.

    # NIS servers are mostly used on an internal LAN; /etc/hosts is enough, DNS is not needed
    dns: no

    # How many map file handles should be cached ?
    # By default 30 databases are read into memory; raise this if you have many accounts.
    files: 30

    # Should we register ypserv with SLP ?
    # slp: no
    # After how many seconds we should re-register ypserv with SLP ?
    # slp_timeout: 3600

    # xfr requests are only allowed from ports <1024
    # Relevant to master/slave setups: the port used to compare and synchronise databases is kept below 1024.
    xfr_check_port: yes

    # The following, when uncommented, will give you shadow like passwords.
    # Note that it will not work if you have slave NIS servers in your
    # network that do not run the same server as you.

    # Below are the access restrictions for clients or slave servers, four colon-separated fields:
    # [hostname/IP] : [NIS domain] : [map name] : [security]
    # [hostname/IP] : may be written as network/netmask, e.g. 192.168.124.0/255.255.255.0
    # [NIS domain]  : hikuss
    # [map name]    : the name of a database (map) built by NIS
    # [security]    : none (no restriction), port (source port <1024 only) or deny
    # For our network the rules are usually set up like this:
    #
    # Host                      : Domain : Map                   : Security
    #
    # *                         : *      : passwd.byname         : port
    # *                         : *      : passwd.byuid          : port
    127.0.0.0/255.255.255.0     : *      : *                     : none
    192.168.192.0/255.255.255.0 : *      : *                     : none
    *                           : *      : *                     : deny
    # An asterisk (*) accepts anything. The three lines above 1) open the lo interface,
    # 2) open the internal LAN, and 3) reject NIS requests from every other source.
    # A simpler alternative: comment out the three lines above and add this single line instead:
    # * : * : * : none
    # That allows any host to connect to the NIS server; filter further with firewall rules.

    # Not everybody should see the shadow passwords, not secure, since
    # under MSDOG everybody is root and can access ports < 1024 !!!
    *                           : *      : shadow.byname         : port
    *                           : *      : passwd.adjunct.byname : port

    # If you comment out the next rule, ypserv and rpc.ypxfrd will
    # look for YP_SECURE and YP_AUTHDES in the maps. This will make
    # the security check a little bit slower, but you only have to
    # change the keys on the master server, not the configuration files
    # on each NIS server.
    # If you have maps with YP_SECURE or YP_AUTHDES, you should create
    # a rule for them above, that's much faster.
    # * : * : * : none
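ypserv walks the access rules in file order and stops at the first match, so the order of the lines decides what a client may read. The evaluator below is an added example, not part of the original post or of ypserv itself: it parses rules in ypserv.conf syntax, resolves a request against them the way ypserv does, and flags rules that can never fire. Both rule sets in it are constructed from the file above (the author's order and a reordered variant); hostnames in the Host field are not resolved.

```python
import ipaddress

# Constructed sample: the active access rules from the ypserv.conf above, in the author's order.
PAGE_RULES = """
127.0.0.0/255.255.255.0 : * : * : none
192.168.192.0/255.255.255.0 : * : * : none
* : * : * : deny
* : * : shadow.byname : port
* : * : passwd.adjunct.byname : port"""
# Constructed variant: the port-restricted shadow rules moved ahead of the network-wide rules.
REORDERED_RULES = """
* : * : shadow.byname : port
* : * : passwd.adjunct.byname : port
127.0.0.0/255.255.255.0 : * : * : none
192.168.192.0/255.255.255.0 : * : * : none
* : * : * : deny"""

def parse_rules(text):
    """Return (host, domain, map, security) tuples; comments, blanks and 'key: value' options are skipped."""
    split = (tuple(f.strip() for f in line.split("#", 1)[0].split(":")) for line in text.splitlines())
    return [fields for fields in split if len(fields) == 4]

def host_matches(spec, client_ip):
    """'*' matches any host, 'net/mask' a network, anything else an exact IP (hostnames not handled)."""
    if spec == "*":
        return True
    net = ipaddress.ip_network(spec, strict=False)  # a bare IP becomes a /32 network
    return ipaddress.ip_address(client_ip) in net

def evaluate(rules, client_ip, domain, map_name, client_port):
    """Return (decision, index of the rule that fired); with no matching rule ypserv allows the request."""
    for idx, (host, dom, mp, sec) in enumerate(rules):
        if host_matches(host, client_ip) and dom in ("*", domain) and mp in ("*", map_name):
            if sec == "port":  # only privileged (<1024) source ports may read the map
                return ("allow" if client_port < 1024 else "deny", idx)
            return ("allow" if sec == "none" else "deny", idx)
    return ("allow", None)

def shadowed_rules(rules):
    """Indices of rules that can never fire because an earlier rule is '*' or equal in host, domain and map."""
    def covers(early, late):  # early matches every request that late matches
        return all(e in ("*", l) for e, l in zip(early[:3], late[:3]))
    return [j for j, late in enumerate(rules) if any(covers(early, late) for early in rules[:j])]

if __name__ == "__main__":
    rules = parse_rules(PAGE_RULES)
    print("unreachable rules:", shadowed_rules(rules))  # [3, 4]: both port-restricted rules never fire
    print(evaluate(rules, "192.168.192.92", "hikuss", "shadow.byname", 40000))  # ('allow', 1)
    print(evaluate(parse_rules(REORDERED_RULES), "192.168.192.92", "hikuss", "shadow.byname", 40000))  # ('deny', 0)
```

With the author's order, a LAN client on an unprivileged port reads shadow.byname through the network-wide "none" rule and the two "port" rules are reported as unreachable; placing them ahead of the network rules makes the source-port check apply.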
2.1.4 Set up the firewall

Make yppasswdd listen on a fixed port as well, so that the firewall rules are easy to manage:

    [root@node0 nis]# vi /etc/sysconfig/yppasswdd
    # <port>: the fixed port you choose for rpc.yppasswdd
    YPPASSWDD_ARGS="--port <port>"
2.1.5 Start the services and enable them at boot

Start the services with the following commands:

    [root@node0 nis]# systemctl start ypserv
    [root@node0 nis]# systemctl start rpcbind
    [root@node0 nis]# systemctl start yppasswdd.service

Enable them at boot:

    [root@node0 nis]# systemctl enable ypserv
    Created symlink from /etc/systemd/system/multi-user.target.wants/ypserv.service to /usr/lib/systemd/system/ypserv.service.
    [root@node0 nis]# systemctl enable rpcbind
    Created symlink from /etc/systemd/system/sockets.target.wants/rpcbind.socket to /usr/lib/systemd/system/rpcbind.socket.
    [root@node0 nis]# systemctl enable yppasswdd.service
    Created symlink from /etc/systemd/system/multi-user.target.wants/yppasswdd.service to /usr/lib/systemd/system/yppasswdd.service.
2.1.6 Create NIS accounts and build the database

1. Create five accounts (UIDs 1001 to 1005):

    [root@node0 nis]# for i in `seq 1 5`; do echo "nisuser$i ====="; useradd -u 100$i nisuser$i; echo password | passwd --stdin nisuser$i; done

2. Build the database
The ypinit command initialises the master server and builds the standard NIS maps; by default it performs the same steps as running make. Follow the prompts: press Ctrl+D to finish the server list and confirm, and the database is built.

    [root@node0 nis]# /usr/lib64/yp/ypinit -m

    At this point, we have to construct a list of the hosts which will run NIS
    servers.  node0 is in the list of NIS server hosts.  Please continue to add
    the names for the other hosts, one per line.  When you are done with the
    list, type a <control D>.
            next host to add:  node0
            next host to add:
    The current list of NIS servers looks like this:

    node0

    Is this correct?  [y/n: y]  y
    We need a few minutes to build the databases...
    Building /var/yp/hikuss/ypservers...
    Running /var/yp/Makefile...
    gmake[1]: Entering directory `/var/yp/hikuss'
    Updating passwd.byname...
    Updating passwd.byuid...
    Updating group.byname...
    Updating group.bygid...
    Updating hosts.byname...
    Updating hosts.byaddr...
    Updating rpc.byname...
    Updating rpc.bynumber...
    Updating services.byname...
    Updating services.byservicename...
    Updating netid.byname...
    Updating protocols.bynumber...
    Updating protocols.byname...
    Updating mail.aliases...
    gmake[1]: Leaving directory `/var/yp/hikuss'

    node0 has been set up as a NIS master server.

    Now you can run ypinit -s node0 on all slave server.
    [root@node0 nis]#
2.1.7 Update the NIS accounts and database

Whenever an account is added, deleted or modified on the server, the NIS database has to be rebuilt with make -C /var/yp:

    [root@node0 nis]# cd /var/yp
    [root@node0 yp]# make

or, equivalently:

    [root@node0 nis]# make -C /var/yp
    make: Entering directory `/var/yp'
    gmake[1]: Entering directory `/var/yp/hikuss'
    Updating netid.byname...
    gmake[1]: Leaving directory `/var/yp/hikuss'
    make: Leaving directory `/var/yp'
    [root@node0 nis]#

This writes the changes into the NIS database; only then can clients read the updated information.